- Terraform + Ansible + K3s + Vault + Consul + Observability - Decentralized network architecture (own datacenters) - Complete Ansible playbooks: - bootstrap.yml: OS setup, packages, SSH - hardening.yml: Security (UFW, fail2ban, auditd, Trivy) - k3s-install.yml: Lightweight Kubernetes cluster - Production inventory with NODE1, NODE3 - Group variables for all nodes - Security check cron script - Multi-DC ready with Consul support
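# DAARION Network - Bootstrap Playbook
# Initial setup for all nodes: packages, SSH, hostname, etc.
#
# Required inventory/group variables for every host:
#   timezone, scripts_dir, config_dir, logs_dir, backup_dir
# Optional (only reported by the final verification task):
#   datacenter, node_role, gpu
#
# Changes versus the first revision of this play:
#   - YAML booleans are written as true/false (yamllint `truthy`).
#   - Every edit of sshd_config is validated with `sshd -t` before it is
#     written, so a typo cannot leave the host without a working sshd.
#   - br_netfilter/overlay are loaded (and persisted) before the
#     net.bridge.* sysctls are applied, so the sysctl task no longer needs
#     `ignore_errors` to hide a missing module.
---
- name: Bootstrap all nodes
  hosts: all
  become: true

  vars:
    common_packages:
      - curl
      - wget
      - git
      - htop
      - vim
      - jq
      - unzip
      - ca-certificates
      - gnupg
      - lsb-release
      - net-tools
      - dnsutils
      - bc

    # OpenSSH daemon config edited by the SSH hardening tasks below.
    sshd_config_path: /etc/ssh/sshd_config
    # lineinfile runs this against its temp copy (%s) and only replaces the
    # real file when the syntax check passes.
    sshd_validate_cmd: '/usr/sbin/sshd -t -f %s'

    # Kernel modules that must be loaded before the net.bridge.* sysctls
    # exist (br_netfilter) and that container runtimes expect (overlay).
    container_kernel_modules:
      - overlay
      - br_netfilter
    container_modules_conf: /etc/modules-load.d/daarion-containers.conf

  tasks:
    # =========================================================================
    # BASIC SETUP
    # =========================================================================
    - name: Set timezone
      timezone:
        name: "{{ timezone }}"

    - name: Set hostname
      hostname:
        name: "{{ inventory_hostname }}"

    # One "<ansible_host> <inventory_hostname>" line per inventory host.
    # No regexp is given, so an entry whose ansible_host later changes is
    # appended rather than replaced; the stale line stays in /etc/hosts.
    - name: Update /etc/hosts with all nodes
      lineinfile:
        path: /etc/hosts
        line: "{{ hostvars[item].ansible_host }} {{ item }}"
        state: present
      loop: "{{ groups['all'] }}"
      when:
        - hostvars[item].ansible_host is defined
        - hostvars[item].ansible_host != 'localhost'

    # =========================================================================
    # PACKAGES
    # =========================================================================
    # The package tasks are Debian-family only; other OS families are
    # skipped silently here.
    - name: Update apt cache
      apt:
        update_cache: true
        cache_valid_time: 3600
      when: ansible_os_family == "Debian"

    - name: Upgrade all packages
      apt:
        upgrade: safe
      when: ansible_os_family == "Debian"

    - name: Install common packages
      apt:
        name: "{{ common_packages }}"
        state: present
      when: ansible_os_family == "Debian"

    # =========================================================================
    # USERS & SSH
    # =========================================================================
    - name: Create admin group
      group:
        name: daarion-admin
        state: present

    - name: Create directories
      file:
        path: "{{ item }}"
        state: directory
        mode: '0755'
      loop:
        - "{{ scripts_dir }}"
        - "{{ config_dir }}"
        - "{{ logs_dir }}"
        - "{{ backup_dir }}"

    # =========================================================================
    # SSH HARDENING
    # =========================================================================
    # NOTE(review): on distributions whose sshd_config starts with
    # `Include /etc/ssh/sshd_config.d/*.conf`, sshd keeps the first value it
    # reads, so a drop-in file can override the directives set here —
    # confirm there is no conflicting drop-in on the target images.
    - name: Disable root login via SSH (workers only)
      lineinfile:
        path: "{{ sshd_config_path }}"
        regexp: '^#?PermitRootLogin'
        line: 'PermitRootLogin prohibit-password'
        validate: "{{ sshd_validate_cmd }}"
      notify: restart sshd
      # Only hosts in the `workers` group; other groups keep their current
      # PermitRootLogin setting.
      when: "'workers' in group_names"

    - name: Set SSH MaxAuthTries
      lineinfile:
        path: "{{ sshd_config_path }}"
        regexp: '^#?MaxAuthTries'
        line: 'MaxAuthTries 3'
        validate: "{{ sshd_validate_cmd }}"
      notify: restart sshd

    - name: Set SSH ClientAliveInterval
      lineinfile:
        path: "{{ sshd_config_path }}"
        regexp: '^#?ClientAliveInterval'
        line: 'ClientAliveInterval 300'
        validate: "{{ sshd_validate_cmd }}"
      notify: restart sshd

    # =========================================================================
    # KERNEL PARAMETERS
    # =========================================================================
    - name: Load kernel modules required for container networking
      modprobe:
        name: "{{ item }}"
        state: present
      loop: "{{ container_kernel_modules }}"

    # Without this the modules (and the net.bridge.* sysctls that depend on
    # them) would be gone after a reboot.
    - name: Persist kernel modules across reboots
      lineinfile:
        path: "{{ container_modules_conf }}"
        line: "{{ item }}"
        create: true
        mode: '0644'
      loop: "{{ container_kernel_modules }}"

    # All five keys exist on any Linux kernel once br_netfilter is loaded,
    # so a failure here is a real misconfiguration and is allowed to fail
    # the play instead of being ignored.
    - name: Set kernel parameters for containers
      sysctl:
        name: "{{ item.name }}"
        value: "{{ item.value }}"
        state: present
        reload: true
      loop:
        - { name: 'net.ipv4.ip_forward', value: '1' }
        - { name: 'net.bridge.bridge-nf-call-iptables', value: '1' }
        - { name: 'net.bridge.bridge-nf-call-ip6tables', value: '1' }
        - { name: 'fs.inotify.max_user_watches', value: '524288' }
        - { name: 'fs.inotify.max_user_instances', value: '512' }

    # =========================================================================
    # VERIFICATION
    # =========================================================================
    - name: Verify setup
      debug:
        msg: |
          Node: {{ inventory_hostname }}
          Host: {{ ansible_host }}
          Datacenter: {{ datacenter | default('unknown') }}
          Role: {{ node_role | default('unknown') }}
          GPU: {{ gpu | default(false) }}

  handlers:
    # Triggered only when one of the sshd_config edits above changed the
    # file. NOTE(review): the unit is named `ssh` on Debian/Ubuntu; `sshd`
    # works there via the unit alias — confirm on the target images.
    - name: restart sshd
      service:
        name: sshd
        state: restarted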